Bad Rabbit Reminds Us That Ransomware is Here to Stay
By: Carolyn Crandall
When my kids were little, I used to read them “Pat the Bunny,” a “touch and feel” book where they could feel the fur of a rabbit (fake), or sandpaper that represented dad’s scratchy face in the morning. As we have learned in the last couple of weeks, however, not all bunnies are cute and snuggly. The latest ransomware to emerge onto the world scene is Bad Rabbit. This threat contains 67 percent of the same code as NotPetya’s DLL, pointing to the potential that the two malware variants originated from the same threat actor.
Bad Rabbit portrays itself as an update to Adobe’s Flash multimedia software. Users are tricked into refreshing their Flash, which allows the malware to download, where it then encrypts files on the user’s computer, causing it to become inoperable unless the user pays a bitcoin ransom within a specified time period. Even worse, Bad Rabbit attempts to spread within the network of an infected company, causing the company to slowly come to a stop.
Bad Rabbit reminds us that ransomware is here to stay and that attacks are increasingly sophisticated. Verizon’s 2017 Annual Data Breach Investigations Report (DBIR) devotes considerable space to ransomware, noting it has jumped from the 22nd most common variety of malware in its 2014 report to the fifth most common in this report. The targets and attack surfaces continue to evolve, making them increasingly harder to prevent.
A very significant change in 2016 was the increased targeting of organizations over individuals. Emails replaced web drive-by downloads as the primary attack vector in 2016. Emails were often targeted at specific job functions such as HR and accounting, where employees are more likely to open attachments or click on links.
While we at Attivo Networks generally applaud innovation, it’s very concerning to know attackers are bringing new innovations to ransomware technology and extortion methods as well. Moving beyond file encryption, which has been the standard MO of ransomware authors, attackers have moved into master boot record locking, and partial and full disk encryption, to up the ante on targeted organizations. Execution time differences between real and virtual machines, unexpected command-line arguments and short lists of Microsoft Office recent files are among the approaches being tried to avoid detection by sandboxes.
In addition, attackers are offering ransomware-as-a-service, enabling anyone to disable a target, earning additional fees in the process. The introduction of time limits, after which ransom demands would increase or files would be deleted, ransoms calculated based on the perceived value of files, and even decrypting files on the condition the target organization helps to infect others are among the experiments in ransom demands being implemented.
While Winston Churchill’s quote, “I have nothing to offer but blood, toil, tears and sweat,” would seem suitable here, I choose to be more optimistic. Organizations must train their employees, keep security patches current, and religiously follow the best practices that have been covered in this blog and by many other organizations, including one technology consultancy below. It is generally accepted in this day and age that achieving a 100 percent perimeter security defense is not realistic. To reduce attacker dwell time, organizations should know immediately when their perimeter security controls fail and should be able to respond quickly. To do this, companies should focus on deploying a layered security infrastructure that includes the best perimeter defense as well as tools for early detection and response for threats inside the network. Organizations are starting to recognize that their perimeter has or will be compromised, and are including a solution that identifies emerging attacks. No one solution can do everything.
And, don’t just take our word for it. Technology consulting firm TeamLogicIT® lists five initiatives that should be part of any organization’s cyber defense strategy. These include:
- Increase cybersecurity awareness and education – this includes instructions such as training employees to never open email attachments from unknown senders or sources, and avoiding the enablement of macros from any email attachment.
- Implement a white list – TeamLogicIT encourages IT teams to go beyond blacklisting websites known to carry malicious programs and create white lists, which point users to websites known to be secure.
- Manage permissions – Restricting permission levels can prevent malware from running or spreading quickly.
- Leave technology to the experts – Consider IT managed service providers (MSPs) that specialize in cybersecurity. They can implement the latest solutions as well as monitor for intrusions and support recovery from incidents.
- Deceive the Deceivers – TeamLogicIT points to deception tools that bait ransomware attackers with false data on decoy networks. Malware attacks decoys, keeping it away from real devices and data and giving cyber teams the chance to detect intrusions before damage is done.
The Attivo ThreatDefend™ Detection and Response Platform is a valuable component of an aggressive, adaptive defense. In October, we expanded the Platform’s capabilities with the introduction of Adaptive Deception Campaigns, which use machine learning to create and automate the deployment of campaigns that bolster deceptions to address the evolving threat landscape and ever-changing attack surface.
If deception technology is on your mind, it’s still not too late to meet us on our November/December Global Deception Technology Tour. Dates and locations of where we will be presenting are here. We look forward to seeing you!